SS-ZKR: Spatial-Semantic Zero-Knowledge Routing for Privacy-Preserving Multi-Agent Collaboration
Pith reviewed 2026-06-28 17:20 UTC · model grok-4.3
The pith
SS-ZKR enables semantic routing of agent payloads across trust boundaries without decrypting content at the router.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
SS-ZKR is a three-mechanism privacy-preserving routing protocol that performs blind routing via differentially private semantic intent vectors bound to zero-knowledge proofs of payload-schema consistency, applies vector-weighted adaptive sanitisation with (epsilon, delta)-differential privacy, and compiles visually defined trust-zone topologies into zero-knowledge access circuits.
What carries the argument
The SS-ZKR three-mechanism stack: Mechanism I binds differentially private intent vectors to zero-knowledge proofs for blind routing; Mechanism II performs adaptive sanitisation; Mechanism III translates spatial trust zones into cryptographic circuits.
If this is right
- Routing intermediaries never need to decrypt agent payloads to make semantic decisions.
- Enterprises in finance, healthcare, and defence can orchestrate AI agents across regulatory boundaries.
- The protocol supplies formal (epsilon, delta)-differential privacy for numerical fields and heuristic protection for text.
- Analytical complexity is lower than TEE-based or fully homomorphic encryption routing alternatives.
Where Pith is reading between the lines
- The protocol could be layered directly on existing W3C DID and VC identity systems for authenticated agent networks.
- Spatial policy definitions might extend to dynamic trust zones that change during agent collaboration sessions.
- Implementation of the provided pseudocode would allow direct measurement of real-world leakage versus the paper's analytical bounds.
Load-bearing premise
The three mechanisms deliver the stated formal privacy guarantees and run efficiently on top of A2A/MCP without new leakage or unacceptable overhead.
What would settle it
A concrete demonstration that payload information can be reconstructed from the published intent vectors beyond the claimed leakage bounds, or measured runtime overhead exceeding the analytical TEE and homomorphic comparisons.
read the original abstract
Foundational agent interoperability standards, notably the Agent-to-Agent (A2A) protocol and the Model Context Protocol (MCP), have advanced multi-agent system communication, and complementary identity frameworks leveraging W3C Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs) provide cryptographic agent authentication. However, no existing protocol supports content-based semantic routing of agent payloads across organisational trust boundaries without requiring the routing intermediary to decrypt the payload, which is a hard constraint in compliance-sensitive environments governed by GDPR, HIPAA, and MiFID II. We propose SS-ZKR, a three-mechanism privacy-preserving routing protocol designed as a complementary layer atop A2A/MCP. Mechanism I introduces blind routing via differentially private semantic intent vectors cryptographically bound to zero-knowledge proofs of payload-schema consistency. Mechanism II offers vector-weighted adaptive payload sanitisation with formal (epsilon, delta)-differential privacy for numerical fields and heuristic semantic aggregation for textual fields. Mechanism III presents a spatial-to-cryptographic policy compiler that translates visually defined trust-zone topologies into deterministic zero-knowledge access circuits. We provide a formal threat model, analyse information leakage bounds of intent vectors, present pseudocode for all three mechanisms, and give analytical complexity comparisons against TEE-based and homomorphic encryption-based routing baselines. SS-ZKR lets enterprises in financial services, healthcare, and defence orchestrate heterogeneous AI agents across regulatory boundaries without exposing proprietary data to routing infrastructure.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes SS-ZKR, a complementary protocol atop A2A/MCP consisting of three mechanisms: (I) blind routing via differentially private semantic intent vectors bound to zero-knowledge proofs of schema consistency, (II) vector-weighted adaptive payload sanitisation providing (ε,δ)-DP for numerical fields and heuristic aggregation for text, and (III) a spatial-to-cryptographic policy compiler converting trust-zone topologies into ZK access circuits. It asserts a formal threat model, information-leakage-bound analysis for intent vectors, pseudocode for the mechanisms, and analytical complexity comparisons versus TEE- and HE-based baselines, enabling enterprises to orchestrate agents across regulatory boundaries without exposing proprietary data to routing infrastructure.
Significance. If the three mechanisms were shown to deliver the stated formal privacy properties with no new leakage channels and acceptable overhead, the result would be significant for compliance-sensitive multi-agent deployments in finance, healthcare, and defence. The work correctly identifies a gap in existing interoperability standards regarding content-based semantic routing without decryption.
major comments (3)
- [Abstract] Abstract: the manuscript states that it 'provide[s] a formal threat model, analyse[s] information leakage bounds of intent vectors, present[s] pseudocode for all three mechanisms, and give[s] analytical complexity comparisons', yet none of these elements (threat model, bounds, equations, proofs, pseudocode, or comparisons) appear in the manuscript.
- [Abstract] Abstract: the central claim that Mechanism I (DP vectors + ZK proofs), Mechanism II (sanitisation), and Mechanism III (policy compiler) together achieve formal (ε,δ)-DP and zero-knowledge routing 'without exposing proprietary data to routing infrastructure' is asserted without any derivation, proof, error bound, or leakage analysis to support it.
- [Abstract] Abstract: the weakest assumption that the mechanisms can be implemented efficiently atop A2A/MCP 'without unacceptable overhead or new leakage' is stated but unsupported by any quantitative results, complexity expressions, or implementation details.
Simulated Author's Rebuttal
We thank the referee for the detailed and constructive report. We acknowledge the discrepancies between the claims in the abstract and the content of the submitted manuscript. We will revise the paper to address these issues by incorporating the missing formal elements.
read point-by-point responses
-
Referee: [Abstract] Abstract: the manuscript states that it 'provide[s] a formal threat model, analyse[s] information leakage bounds of intent vectors, present[s] pseudocode for all three mechanisms, and give[s] analytical complexity comparisons', yet none of these elements (threat model, bounds, equations, proofs, pseudocode, or comparisons) appear in the manuscript.
Authors: We accept this observation. The submitted manuscript does not include the stated elements due to an omission during preparation. In the revised version we will add a formal threat model (new Section 3), information-leakage bounds with supporting equations (Section 4), pseudocode for all three mechanisms (Appendix A), and analytical complexity comparisons against the TEE and HE baselines (Section 5). revision: yes
-
Referee: [Abstract] Abstract: the central claim that Mechanism I (DP vectors + ZK proofs), Mechanism II (sanitisation), and Mechanism III (policy compiler) together achieve formal (ε,δ)-DP and zero-knowledge routing 'without exposing proprietary data to routing infrastructure' is asserted without any derivation, proof, error bound, or leakage analysis to support it.
Authors: We agree that the privacy claims require explicit derivation and proof. The revision will include a formal proof of the combined (ε,δ)-DP guarantee, a leakage analysis for the intent vectors under the stated threat model, and explicit error bounds for the sanitisation and ZK components. revision: yes
-
Referee: [Abstract] Abstract: the weakest assumption that the mechanisms can be implemented efficiently atop A2A/MCP 'without unacceptable overhead or new leakage' is stated but unsupported by any quantitative results, complexity expressions, or implementation details.
Authors: We accept that the efficiency claim lacks quantitative backing in the current draft. The revised manuscript will supply concrete complexity expressions (communication and computation), asymptotic overhead comparisons, and a discussion of potential new leakage channels with mitigation arguments. revision: yes
Circularity Check
No derivation chain or equations present to evaluate for circularity
full rationale
The provided manuscript text consists solely of the abstract and high-level mechanism descriptions with no equations, proofs, fitted parameters, self-citations of load-bearing results, or explicit derivation steps. The paper asserts the existence of a formal threat model, leakage-bound analysis, and complexity comparisons but supplies none of these in the visible content. Without any claimed first-principles results or predictions that could reduce to inputs by construction, no circular steps exist. The work is therefore self-contained against the circularity criteria by absence of any mathematical chain to inspect.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Internet of Agents: Weaving a Web of Heterogeneous Agents for Collaborative Intelligence,
W. Chen, Z. You, R. Li, Y. Guan, C. Qian, C. Zhao, C. Yang, R. Xie, Z. Liu, and M. Sun, "Internet of Agents: Weaving a Web of Heterogeneous Agents for Collaborative Intelligence," in Proc. ICLR, 2025
2025
-
[2]
Internet of Agents: Fundamentals, Applications, and Challenges,
Y. Wang, X. Cao, G. Nan et al., "Internet of Agents: Fundamentals, Applications, and Challenges," IEEE Trans. Cogn. Commun. Netw., accepted, 2025. [Online]. Available: https://arxiv.org/abs/2505.07176
-
[3]
Multiagent Systems in Enterprise AI: Efficiency, Innovation and Vendor Advantage,
Gartner, "Multiagent Systems in Enterprise AI: Efficiency, Innovation and Vendor Advantage," Dec. 2025. [Online]. Available: https://www.gartner.com/en/articles/multiagent-systems
2025
-
[4]
Agentic AI Market: Global Industry Analysis and Forecast 2025 –2030,
MarketsandMarkets, "Agentic AI Market: Global Industry Analysis and Forecast 2025 –2030," Research Report MAI - 2025-AGT, 2025
2025
-
[5]
Announcing the Agent2Agent Protocol (A2A),
Google, "Announcing the Agent2Agent Protocol (A2A)," Google Developers Blog, Apr. 2025. [Online]. Available: https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/
2025
-
[6]
Model Context Protocol,
Anthropic, "Model Context Protocol," Documentation, 2024. [Online]. Available: https://modelcontextprotocol.io/
2024
-
[7]
Decentralized Identifiers (DIDs) v1.0,
W3C, "Decentralized Identifiers (DIDs) v1.0," W3C Recommendation, Jul. 2022
2022
-
[8]
Verifiable Credentials Data Model v1.1,
W3C, "Verifiable Credentials Data Model v1.1," W3C Recommendation, Mar. 2022
2022
- [9]
-
[10]
Loka protocol: A decentralized framework for trustworthy and ethical ai agent ecosystems,
R. Ranjan, S. Gupta, and S. N. Singh, "LOKA Protocol: A Decentralized Framework for Trustworthy and Ethical AI Agent Ecosystems," arXiv:2504.10915, Apr. 2025
-
[11]
AI Agents with Decentralized Identifiers and Verifiable Credentials
S. Rodriguez Garzon, A. Vaziry, E. M. Kuzu, D. E. Gehrmann, B. Varkan, A. Gaballa, and A. Küpper, "AI Agents with Decentralized Identifiers and Verifiable Credentials," arXiv:2511.02841, Nov. 2025
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[12]
Agent2Agent Protocol is Getting an Upgrade,
Google, "Agent2Agent Protocol is Getting an Upgrade," Google Cloud Blog, Jul. 2025. [Online]. Available: https://cloud.google.com/blog/products/ai-machine-learning/agent2agent-protocol-is-getting-an-upgrade
2025
-
[13]
The Orchestration of Multi -Agent Systems: Architectures, Protocols, and Enterprise Adoption,
A. Adimulam, R. Gupta, and S. Kumar, "The Orchestration of Multi -Agent Systems: Architectures, Protocols, and Enterprise Adoption," arXiv:2601.13671, Jan. 2026
-
[14]
CQRS and Blockchain with Zero-Knowledge Proofs for Multi-Agent Systems,
F. Fanitabasi, "CQRS and Blockchain with Zero-Knowledge Proofs for Multi-Agent Systems," Int. J. Adv. Comput. Sci. Appl., vol. 15, no. 11, 2024
2024
-
[15]
The Agentic Service Bus: A New Architecture for Inter -Agent Communication,
M. Fauscette, "The Agentic Service Bus: A New Architecture for Inter -Agent Communication," Arion Research, Jan
-
[16]
Available: https://www.arionresearch.com/blog/the -agentic-service-bus-a-new-architecture-for-inter- agent-communication
[Online]. Available: https://www.arionresearch.com/blog/the -agentic-service-bus-a-new-architecture-for-inter- agent-communication
-
[17]
What is Microsoft Foundry Agent Service?
Microsoft, "What is Microsoft Foundry Agent Service?" Microsoft Learn, 2025. [Online]. Available: https://learn.microsoft.com/en-us/azure/foundry/agents/overview
2025
-
[18]
2025: The Year Open, Agentic AI Took Center Stage,
IBM, "2025: The Year Open, Agentic AI Took Center Stage," IBM Think, 2025
2025
-
[19]
Internet of Agents Documentation,
AGNTCY, "Internet of Agents Documentation," Linux Foundation, 2025. [Online]. Available: https://docs.agntcy.org/
2025
-
[20]
Practical Techniques for Searches on Encrypted Data,
D. X. Song, D. Wagner, and A. Perrig, "Practical Techniques for Searches on Encrypted Data," in Proc. IEEE S&P, 2000, pp. 44–55
2000
-
[21]
Functional Encryption: Definitions and Challenges,
D. Boneh, A. Sahai, and B. Waters, "Functional Encryption: Definitions and Challenges," in Proc. TCC, 2011, pp. 253– 273
2011
-
[22]
Private Information Retrieval,
B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, "Private Information Retrieval," in Proc. FOCS, 1995, pp. 41–50
1995
-
[23]
Protocols for Secure Computations,
A. C. Yao, "Protocols for Secure Computations," in Proc. FOCS, 1982, pp. 160 –164
1982
-
[24]
Text Embeddings Reveal (Almost) as Much as Text,
J. Morris, V. Kuleshov, V. Shmatikov, and A. Rush, "Text Embeddings Reveal (Almost) as Much as Text," in Proc. EMNLP, 2023, pp. 12448–12460
2023
-
[25]
The Algorithmic Foundations of Differential Privacy,
C. Dwork and A. Roth, "The Algorithmic Foundations of Differential Privacy," Found. Trends Theor. Comput. Sci., vol. 9, nos. 3–4, pp. 211–407, 2014
2014
-
[26]
SP1: A Performant, 100% Open -Source, Contributor -Friendly zkVM,
Succinct Labs, "SP1: A Performant, 100% Open -Source, Contributor -Friendly zkVM," 2024. [Online]. Available: https://github.com/succinctlabs/sp1
2024
-
[27]
Security of Internet of Agents: Attacks and Countermeasures,
Y. Wang, X. Cao, G. Nan et al., "Security of Internet of Agents: Attacks and Countermeasures," arXiv:2505.08807, May 2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.